Introduction
Google searches for the term “privacy” reached new highs over the past month. The ascension of privacy issues in the national consciousness comes as no surprise considering recent revelations of Cambridge Analytica’s data scandals, Facebook CEO Mark Zuckerberg’s recent testimony before Congress, and prospects of increased regulation on privacy and data.
The concern over privacy is not new. The phrase, “If you’re not paying for it, you are the product,” and similar analogues have become defining sentiments in the information age. Yet, our privacy laws have struggled to keep up. Our current system of protecting privacy exists in a patchwork system that regulates discrete sectors and types of information, often creating overlapping and contradictory protections.
In response to the lagging protections, a majority of Americans have become concerned over the degree to which their privacy is protected. This week, we take stock of some of the proposals for comprehensive privacy reform that have been put forth.
Europe’s General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a rule passed by the European Union in 2016, set to go into effect on May 25th, 2018. Among the chief features of the GDPR are consent, data subject rights, and strong penalties.
The GDPR sets a high bar for consent requirements in obtaining personal data. Any time a company collects personal data on an EU citizen, it must obtain express consent from that person. Individuals also have the right to withdraw their consent at any time. The GDPR specifically states, “It shall be as easy to withdraw as to give consent.” Furthermore, “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” On its face, the GDPR seems to require more than just changing the text of “click to proceed” boxes in order to meet compliance.
In addition to consent requirements, the GDPR provides several rights to those whose information is collected (data subject rights). Most notably, the “Right to be Forgotten” (or the Right to Erasure) “entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.” Mirroring the Right to be Forgotten, the “Right to Access” provides the right for data subjects to check with companies whether personal data concerning them is being processed, and also the right to obtain a copy of the personal data (free of charge) that has been collected on him or her.
Other notable rights include the Right to be Notified where a data breach is likely to “result in a risk for the rights and freedoms of individuals” and the Right to Data Portability, which includes the right for a data subject to receive the personal data concerning them in a “commonly used and machine-readable format and have the right to transmit those data to another [company].”
Finally, to back its requirements, the GDPR employs severe penalties. Maximum fines are set at 4 percent of a company’s global turnover or 20 million Euros, whichever is higher. One would be hard-pressed to argue that the GDPR is an inconsequential paper tiger.
California’s Proposed Consumer Privacy Act
California is set to put a measure on the November 2018 ballot that would strengthen privacy protections for residents of the state. If approved, the ballot measure would enact the California Consumer Privacy Act (CCPA). Like the GDPR, the CCPA aims to increase data subjects’ abilities to access and control their own data. It does not, however, go as far as to establish a Right to be Forgotten.
The CCPA provides three key consumer rights: First, the “Right to Know What Personal Information is Being Collected” gives consumers the right to request that a business disclose the categories of personal information that it has collected about him or her. Second, the “Right to Know Whether Personal Information is Sold or Disclosed and to Whom” increases consumers’ understanding of how their information is being used. Third, the “Right to Say No to Sale of Personal Information” creates an “opt-out” right that directs a business not to sell a consumer’s personal information.
In addition to the right to opt out, the CCPA prohibits businesses from discriminating against a consumer because the consumer exercised one of the aforementioned three rights. Like the GDPR, the CCPA provides for statutory penalties for violations of the act. Section 4.9 of the proposal creates a private right of action for consumers who have suffered a violation of the CCPA. The penalties provide for up to $3,000, or actual damages, whichever is greater, for each violation by the business.
The CCPA undoubtedly reflects some of the aims and principles articulated in the GDPR. Although it does not go as far as the GDPR in many respects, it represents a growing desire for a more comprehensive system of privacy and data protection.
The Obama Administration’s Consumer Privacy Bill of Rights
In 2012, President Obama’s administration presented a “blueprint for privacy in the information age” that was to provide guidance on what consumers should be able to expect when it comes to their personal data. The proposed Consumer Privacy Bill of Rights (CPBR) was not a strict set of laws, but rather a set of values for consumer privacy. The administration’s efforts were unsuccessful. Congress failed to take up baseline consumer privacy legislation, while privacy advocates chastised the bill for not going far enough. Still, the CPBR provides a look at the kind of values that privacy rights reform may choose to embrace.
The CPBR outlines seven consumer rights:
- INDIVIDUAL CONTROL: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
- TRANSPARENCY: Consumers have a right to easily understandable and accessible information about privacy and security practices.
- RESPECT FOR CONTEXT: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- SECURITY: Consumers have a right to secure and responsible handling of personal data.
- ACCESS AND ACCURACY: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
- FOCUSED COLLECTION: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- ACCOUNTABILITY: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
While the proposed bill would have issued some baseline data-processing requirements for all types of companies, it ultimately called on industries to develop their own codes of conduct on handling consumer information.
Similar to the GDPR and the CCPA, the Consumer Privacy Bill of Rights places heavy emphasis on users’ ability to understand and control the information collected on them and how it is being used. The CPBR, however, does not create rights that are as specific as those in the GDPR and CCPA, and notably, does not specify what the consequences of violating such rights would be (only that there should be measures to assure adherence to the Bill).
Cross-Comparisons
The primary focuses of comprehensive privacy rights reform clearly center on a desire to improve transparency in what information is being collected and how that information is used, and to shift control of that collection and use to users. In furthering those goals, substantive differences along three key dimensions have surfaced: (1) the range of rights sought to be created or protected, (2) the specificity with which those rights are defined, and (3) the severity of the enforcement and punishment measures designed to assure accountability. While the right set of privacy protections and what the public is willing to accept in the current political climate may be in flux, one thing is unambiguous – the burgeoning sentiment that traditional patchwork mechanisms for enforcing privacy rights have become antiquated in the information age.